Q&A Document for Washington Post Going Dark Interview 

Answers vetted and approved by OTD, OGC 


’ ■ How?' ‘"ft-"™™* over (ho pas, year? 

The impediments faced by law enforcement have been getting woise for quite some time As 

services. Traditional providers have been covered since 1994 and VnTP u ^ u 

been coveted since a 2005 FCC ruling. Thafs atXl'r^^oTL" 

Over Ae last year many providers have used what has been reported in the media about bulk 
CO lection to keep law enforcement at a distance even Aough iL enfore^en^S ndAer Ac 
atones nor comparable capabilities to Aose reported. Uw enfore3, “d^eS of 
dn-ect provider assistance to conduct court ordered electromc surveillance 


experienced any reduced cooperation from communication providers as a 
result of the disclosures attributed to Edward Snowden? provioers as a 

Yra. There is a growing concern wiAin Ae industiy that Ae perception of assistina law 
Asregardmg Aeir user’s rights to privacy. In adAtion to previding eXS oJS^ Z 

“e^eSr -ssmy-Lfomialon ZS^c^lm 

^ Aat law enforcement must abide by Ae rigorous consmicts of law when t 

m^a?n^s'?f Ltf T"”® ^ ■>«< bemg developed to address Ae real day- 

to day needs of law enforcement when a court grants that lawful authority. ^ 


whin t believe companies should be forced to build in backdoors 

when designing services? Don’t baekdoore pose a seenriD’ risk for companies? 

iSlZrf misperception of what law enforecment needs and what law enforcement is 

I TZ'Z r"' for unfettered access into any provida’s network 

Let s mlk about Ae CALEA paredigm - Ae iudustry develops a techuic^;! s JdaS 



it ensures^hs network^is^'caSS^^^^^ 

"co-r:sir rf rr «■' 

It s important to stress that an open, transparent process for identifying technical canabilitipc 

-cir=X“trsrsi';:Jss'i,r » 


'■ t?eN™AcV""'^^^ Isit working as expected? Can I learn more about 

7hT.h^^ NDCAC was designed as a hub for technical knowledge management that facilitates 

enforcements relatiSps t^riheTo^ZkroS If 

mdu^’fa^siW on 

^S-li3S^I=. 

More infonnation is available on the website: httD://www -He^e e,-,-, p„.. 


5. It has been reported the government receives a daUy dumn screen shots from 
companies...why is this not good enough? “““P -screen shots from 

In some cases subject to legal process, it may be enough that law enforcement receives a daily 



[n^mptete o^iS^OTovided '" f’e information is 

Also, not ev^ company has the capability. Further, there is si^ificant disparii to whm ' 
coZtocy”acS™o^ A *" '“* “ »™Ply not a lot of 

“ issue with law enforcement receiving “screen shots” in that they are tynicallv no 

“ eXr: “:,y^r 


'’• Sryt Ho. many 

T^ere are a number of ways companies can thwart law enforcement’s attempts - refusing to 
implement a court order or delaying that implementation can irreparably set-back an ^ 
mvespgahon. Law enforcement understands that there may be ir^ta^ces wier" t "technically 
not feasible for a company to provide assistance, but absent some insight into how a comnanv^ 
provides se^ice, it is impractical for law enforcement to ^mdcrst^dTr^tM 
instances where a company refuses to comply with a court order 


J’r !!!■' “'“‘^■yptiod gotten worse since Snowden, with more companies 

advertising encryption services? How is the FBI dealing with enhanced enei^ption? 

Yes. In the rush to address bulk collection, law enforcement’s needs are being overlooked 

reasonable in <”• government requests to ensure that they are legal and 

What IS missing is a vigorous commitment to assist law enforcement when electronic 



™ '“ “.T f ™'“' “ ft™ework under which both 

inH?, w ^ J ^ ^ ® appropriate balance among the public’s privacy interests the 

.nd>«hy s goals of competition and innovation, and the nlteds of lawetrfiJSer 


Provided separately 



FoIIow-up Q4&S for Washington Post Going Dark Interview 

Answers vetted and approved by OTD, OGC 


1. Here’s the dilemma as the government sees it. Wiretap law requires a company or 
individual to provide “technical assistance” to an offieial with a valid electronic 
surveillance order. But most Internet-related companies are not required by law to 
make sure that their systems are wiretap-ready. And the phrase “teehnical assistance” 
is vague, permitting differences of interpretation. Correet? 

Yes. The dilemma can best be characterized as follows. The impediments faced by law 
enforcement have been getting worse for quite some time. As technology continues to advance, 
new services are introduced, and the number of providers increase, law enforcement faces an 
increasing number of diverse challenges. Many of the newest commimications services are 
developed and deployed without consideration of law enforcement’s “lawful intercept” needs 
(i.e., legally authorized electronic surveillance). CALEA applies to traditional 
teleco mmuni cations carriers, providers of interconnected Voice over Internet Protocol (VoIP) 
services, and providers of broadband access services. “Traditional” providers have been covered 
under CALEA since 1994, and VoIP and broadband have been covered since a 2005 FCC ruling. 
That is a long time ago in terms of this industry and CALEA does not impact a significant 
number of communications service providers in today’s markeqtlace. 

It is also important to note that the “technical assistance” clause in federal wiretap law is often 
insufficient. The assistance furnished by some providers simply does not provide law 
enforcement with the information it requested and which it needs to fiilly imderstand or acquire 
the relevant communications. It is more than a difference of interpretation in that, without more 
specific guidance as to what constitutes “technical assistance,” a provider may do all that it can 
^md still not be able to provide law enforcement the information it needs to do its job. 

As a practical matter, a CALEA compliant provider who has a built an intercept capability into 
its architecture will most likely be able to assist law enforcement immediately, whereas a 
provider that has no solution and attempts to render “technical assistance” likely will not. In 
most instances, providers attempting to render assistance must divert resources to react to an 
immediate situation, such as a hostage-taking or kidnapping scenario, where time is of the 
essence. Despite their best efforts, critical information will be lost due to the delay. 


2. Wanted to confirm that Amy was saying: Anything short of real time interception is not 
fully complying “because we didn't get all the information we needed or because it 
wasn’t provided consistently.” 

In many instances, information provided in response to intercept orders is incomplete or not 
provided in a timely manner to support every type of investigative requirement, especially when 
dealing with crimes in motion (e.g., kidnapping, extortion, drug trafficking). Also, not every 
company has an intercept capability and there is significant disparity in what companies offering 
similar services can provide to law enforcement. There is simply a lack of consistency across the 



industry. The lack of capability and lack of consistency negatively impact law enforcement’s 
ability to fully understand the extent of a criminal’s activities, identification of co-conspirators, 
and location of victims. 


3. On DRIP: It looks like the British parliament is going to pass the law. It will not only 
ensure that U.K. companies store customer data for the government but it gives the 
government the right to require non-U.K. companies outside the country to build 
wiretap capabilities. My understanding is that the FBI several years ago floated draft 
legislation that included an analogous provision — ^to require non US companies outside 
the US to build wiretap capabilities if directed, but the proposal died. Please let me 
know if that is not correct. 

It is prematoe to comment on how the UK legislation will impact United States law 
enforcement's ability to effect court orders, however, it does reflect the fact that the UK is facing 
a similarly daunting challenge in conducting electronic surveillance. 

4. Also, I am told that there has never been a fine issued under either CALEA or the 2518 
provision of the Wiretap Act. 

It is true that fines have not been issued under the CALEA enforcement provisions set forth in 
Title 18 U.S.C. Section 2522 which, in turn, incorporate the provisions of Section 108 of 
CALEA. As written, the enforcement provisions are cumbersome and the pursuit of 
enforcement can be a lengthy, complicated, and resource-intensive process. In many cases, the 
investigation which identified the capability gap would be closed long before any action would 
be taken. However, it is not correct to imply that the enforcement provision of the law cannot 
have any effect. The enforcement provision allows law enforcement to raise non-compliance 
issues to the attention of a company’s senior management and/or genertil counsel and work 
toward a common understanding of the company’s obligations. Law enforcement and 
prosecutors are more interested in ensuring companies have the appropriate capabilities at their 
disposal when served with a court order than pursuing fines or penalties through prolonged 
litigation of the underlying issues, but this option remains viable, if needed. 

5. Still would like to know your response to experts who say that building in a wiretap 
solution builds in insecurity into the system. 

Developing intercept solutions during the service’s design phase allows providers to minimize 
risk from the outset. Such solutions are likely to be better, smarter, cheaper, and more secure 
than solutions that are retrofitted to existing products. There was similar apprehension during 
the initial stages of discussions about CALEA, i.e. that there would be an increased security risk 
in having technical solutions resident in carriers’ networks. That prediction has not come to pass. 
In fact, as intended when CALEA was passed, individuals’ privacy interests are better protected 
when a company has an intercept solution in place that allows them to isolate and provide to law 
enforcement only those communications of the individuals who are subject to the court order. 



An open, transparent process for identifying technical lawful intercept capabilities benefits 
everyone. Privacy advocates and the public can be assured the capabilities are commensurate 
with authorities that already exist and are granted to law enforcement by statute. In other words, 
law enforcement is not asking for additional authorities, but rather just the ability to use the 
authorities we already have. Under this construct, industry will clearly understand its 
responsibilities and all providers will be held to the same standard (i.e., the level playing field). 
Moreover, law enforcement can be assured it will receive wh^t it is authorized to collect, 
regardless of service provider. 

6. Still interested in the rough number of companies/apps that the FBI knows will not 
provide RT data. 

There are hundreds of communication service providers which meet this definition. The FBI has 
experienced numerous situations when a communication service provider cannot or will not 
provide real time data. In some instances, the FBI leverages its Engineering Research Facility to 
help develop a solution, working cooperatively with the company. In other situations, depending 
on the nature of the service, it may be feasible to gain alternative access to another service 
provider and isolate the communications of the suspect. There have been instances where those 
avenues are determined to not be feasible and the FBI does not pursue obtaining a court order. 
The number of such communication service providers that offer new services which do not have 
an electronic surveillance capability continues to grow as technology continues to evolve. 



